Security researchers have recently revealed a few new major security flaws that could have affected many hotel guests and users of Amazon’s Alexa-enabled products, respectively, but both issues now appear to be fixed.
Researchers at F-Secure discovered a flaw which allowed them to take any electronic hotel keycard — including cards that were already used or discarded — and take the data to create a master key allowing access “to open any room in the building.”
The software — Vision by VingCard — is “used to secure millions of hotel rooms worldwide.” The world’s largest lock manufacturer, Assa Abloy, has issued software updates to fix the issue, F-Secure says.
This would understandably be a major concern, but the likelihood of such an attack actually occurring at some point in recent years seems to be unfeasible. It took years for researchers to develop the attack, and F-Secure’s Tomi Tuominen also noted, “We don’t know of anyone else performing this particular attack in the wild right now.”
A Spying Skill
Meanwhile, researchers at Checkmarx have revealed they set out to develop a skill that could turn an Alexa-enabled Echo device into a secret recording and transcribing device that could send all information to a malicious hacker.
After successfully developing such an Alexa “skill,” Checkmarx says it “disclosed this attack scenario to Amazon Lab126 and worked closely with their team to mitigate the risk.”
An Amazon spokesperson told Gizmodo, “We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do.”
While it appears that trouble was avoided twice on these particular occasions, they don’t completely alleviate fears about these devices. It doesn’t seem impossible for someone hacker to develop another sort of hotel keycard hack — you should be using your inner locks when you’re in your hotel room, if you haven’t been doing so already.
Amazon’s Alexa still carries its own set of concerns as well. The company’s Echo devices open up a number of intriguing home automation possibilities, but there are still worries about what happens to user voice data. Amazon announced its new Echo Dot Kids Edition on Wednesday.